The President's Critical Infrastructure Protection Board 



THE NATIONAL 
STRATEGY TO 




SECURE 
CYBERSPACE* 



• i»Tiit»ia >»•> 



DRAFT 




DRAFT 



CONTENTS 



Introduction 1 

Cyberspace Threat and Vulnerabilities: A Case for Action 3 

National Policy and Guiding Principles 7 

Highlights 11 

H Level 1: Home User and Small Business 15 

m Level 2: Large Enterprises 19 

it Level 3: Critical Sectors 

Federal Government 23 

State and Local Government 31 

Higher Education 33 

Private Sector 35 

M Level 4: National Priorities 39 

it Level 5: Global 49 

Summary of Recommendations 53 

Acronyms 57 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




DRAFT 



le President's Board solicit 



country on what ar 



Strategy. The accumulated 
questions were then placed on web pages sponsored by a government 
agency, an association, and a private organization. Many citizens offered 
their views. This initial release of the Strategy proposes answers for most 
of the questions and places others in "Agenda Boxes" for continued 
national dialogue. 

As a further part of the national dialogue, the President's Critical 
Infrastructure Protection Board hosted public town meetings in the spring 
of 2002, prior to the initial release of the Strategy These meetings were 

In addition, the Commerce Department's Critical Infrastructure Assurance 

officials from several States, which included national-level conferences 
held in Austin, Texas, February 12-13, 2002, and Princeton, New Jersey, 
April 23-24, 2002. 

Following the Internet launch of the initial release, additional town meet- 
ings and State forums may be held as part of the effort to maintain 



The National Strategy to Secure Cyberspace 
Supplements other Strategies 

The National Strategy to Secure Cyberspace supplements the National 
Strategy for Homeland Security and the National Security Strategy of the 
United States. Its "Policy and Principles" section, together with President 
Bush's Executive Order 13231, provides the Administration's policy guid- 
ance on cyberspace security 



Town Hall Meetings Held: 

• Portland, Oregon • Atlanta, Georgia 

Future Town Hall Meetings Planned For: 



The President's Critical 
Infrastructure Protection Board 

a review initiated at the outset of the Administration, President 
signed Executive Order 13231 {Critical Infrastructure Protection in 
Age) in October, 2001 creating the President's Critical 
otection Board. The Board is the central focus in the 
^ for cyberspace security. It is composed of senior 
Dre than 20 departments and agencies. The President 
littees that report to the Board 
Research, Incident Response, and 



Some sections of this Strategy are more detailed than others. However, as 
the Strategy evolves in subsequent editions, it will attempt to address all 
of the major problems of cybersecurity in appropriate detail. The Strategy 
is a roadmap for the Administration, the Congress, State and local 
governments, sectors of the economy, higher education, and the 

Administration itself. The Strategy does not substitute for the normal 
decision-making process about budgets and policies. While there are 
many recommendations in the Strategy that do not require additional 
resources, those that do will be considered in the normal processes. Many 
of the recommendations will become the work of the President's Critical 
Infrastructure Protection Board and its interagency committees. 
Subsequent editions of the Strategy will reflect the decisions made in the 
FY04 budget process and the work of the Board and its committees, as 
well as progress by individual departments and agencies. 

Strategy for Cyberspace, in Cyberspace 

The printed version of this release references places in cyberspace where 

may be found. Because of size limitations, the hard copy does not contain 
the text of all references. However, the online version contains hyperlinks 
to referenced materials. In this paper document, you will find these core 
components of the Strategy: 

• the Case for Action: Cyberspace Threats and Vulnerabilities; 

• the Policies and Principles Guiding the Strategy; 

• Highlights of the Strategy; and, 




In the paper document, "Recommendations and Programs and 
Discussions" will be summarized at the end of each level. Over time, 
"Discussions" should either result in "Recommendations" or end with no 
action. Similarly, "Recommendations" should evolve. In some instances 
they might become initiatives undertaken by individuals or private organi- 
zations. In other cases, they may become efforts or programs sustained by 
government. Because of the changing nature of cyberspace some of the 
recommendations might be discarded if, on closer examination, they are 
determined not to be feasible or cost effective as programs. Subsequent 
releases of the Strategy will update these outcomes. 



to documents ar 
nt organizations, trade associations, academic 
governments, and corporations. Their content 

'lews by the Federal government. They are 
) the benefits of the Inform 



in Technology 
e next level of 



BERSPACE 



DRAFT 



A Range of Threats 

ture. They range frc 



n "script kiddies" who download malicious software 
carry out the equivalent of annoying graffiti attacks 
in cyberspace; to hackers who merely want to demonstrate their destruc- 
tive skills; to trusted "insiders" who exploit their access to computer 
systems to cause damage; to criminal organizations that engage in fraud, 
extortion, and theft in cyberspace; and to terrorists and potential enemy 
nation states spying on us now, and developing plans that would enable 
them, in a future conflict, to damage our economy and weaken or control 
the physical and cyber systems the United States needs to fight back. 

Identifying those who did or might attack provides an opportunity to not 
only stop them and bring them to justice (whether, for example, through 
arrests in the case of criminals, or military means in the case of acts of 
information warfare), but also to learn their skill sets and better focus 
national protection efforts. 



Consider the Following Scenario... 

A terrorist organization announces one morning tliat they will 
shut down the Pacific Northwest electrical grid for six hours 
starting at 4:00PM; they then do so. The same group then 
announces that they will disable the primary telecommunica- 
tion trunk circuits between the U.S. East and West Coasts for a 
half day; they then do so, despite our efforts to defend 
against them. Then, they threaten to bring down the air traffic 
control system supporting New York City, grounding all traffic 
and diverting inbound traffic they then do so. Other threats 
follow, and are successfully executed, demonstrating the 

Finally, they threaten to cripple e-co 



million 



ral hi 



sactior 



it of 



What makes this scenario both interesting and alarming is thai 
all of the aforementioned [types of] events have already 
happened, albeit not concurrently nor all by malicious intent. 
They occurred as isolated events, spread out over time; some 
during various technical failures, some during simple exer- 
cises, and some during real-world cyber attacks. All of them, 
however, could be effected through remote cyber attack... 



While the nation must deal with specific threats, waiting to fix any 
important vulnerability in the critical infrastructure until learning of an 
impending attack by an identified attacker is an unacceptably risky 
strategy for potential victims. Both the Code Red and NIMDA cyber 



?d professior 



majority of security vulnerabilities can be mitigated with good security 
practices. As these survey numbers indicate, good security practices 
include not just installing those devices, but operating them correctly an 
keeping them current, including regular patching and virus updates. 



A Mapping of Code Red Penetration 
on a Portion of the Internet 



Identifying vulnerabilities by having a group of 1 
complete an information technology security audit can take 2-3 months. 
Remedying the most serious vulnerabilities by creating a multi-layered 
defense and a resilient network may take several additional months. Then 
the process must be regularly repeated. 

New Vulnerabilities Requiring 
Continuous Response 

The process of securing networks and systems must be continuous 
because new vulnerabilities are created or discovered regularly. CERT/CC 
notes that not only are cyber incidents and the number of attacks 
increasing at an alarming rate, so too are the number of vulnerabilities 
that an attacker can utilize. Identified computer security vulnerabilities — 
problems with software and hardware that permit unauthorized entry or 
damage to a network— more than doubled in the last year, with 1,090 
separate vulnerabilities reported in 2000, and 2,437 reported in 2001 . 
Installing a network security device is not a substitute for a constant focus 
on keeping defenses up to date. In a recent survey by the Computer 
Security Institute, 90 percent of respondents used anti-virus software, but 




the University of California. 

Cybersecurity and Opportunity Cost 



improving computer security often requires inv 
money President Bush requested that Congres 
Federal computers by 64 percent in FY03. 



eventually reduce expenditures through cost saving E-Government solu- 
tions, modern enterprise management, and by reducing opportunities for 
waste and fraud. 

For the national economy and, in particular, for the information 
technology industry, the dearth of trusted, reliable, secure information 
systems is a barrier to future growth. Much of the promise and potential 
of continued growth in the economy, as a result of the Information 
Technology Revolution, has yet to be realized. That unrealized opportunity. 



ability in cyberspace places 



deterred by computer security ri; 



DRAFT 




DRAFT 



NATIONAL POLICIES 
AND GUIDING PRINCIPLES 



The National Strategy to Secure Cyberspace supplements the Nation. 
Strategy for IHomeland Security and the National Security Strategy oi 
United States. This "Policy and Principles" section, together with Pre 
Bush's Executive Order 13231, provides 
ance on cyberspace security. The policy 
in this Strategy are subject to Executive Order 13231 and other relevant 
Executive orders relating to national security and nothing herein alters the 
authorities, roles or responsibilities of U.S. government officials under the 
National Security Act or other relevant statutes. 

This document is the first ever National Strategy to Secure Cyberspace. 
The purpose of the Strategy is to engage, empower, and establish efforts 
to secure cyberspace. Engaging and empowering America to secure 
cyberspace is an exceedingly complex mission that requires coordinated 
and focused effort across society— the Federal government. State and 
local governments, the private sector, and the American people. The 
Strategy seeks to implement the President's national policy objectives and 
principles for securing cyberspace. 

Statement of National Policy 

The Information Technology Revolution has changed the way business is 
transacted, government operates, and national defense is conducted. 
Those three functions now depend on an interdependent network of 
critical information infrastructures — cyberspace. 
Continuous efforts to secure information systems for critical infrastruc- 
ture, including emergency preparedness communications, and the physical 
assets that support such systems are needed to minimize disruption and 



• the Federal government to perform key homeland security and 
national security missions, and to ensure the general public 
health and safety; 




• the private sector to ensure the orderly func- 
tioning of the economy and the delivery of 
essential infrastructure services. 
This policy acknowledges that no security measures will be 
1 00 percent reliable. Nonetheless, it strives to ensure that 
any interruptions or manipulations of these critical func- 
tions will be infrequent, brief, manageable, geographically 
isolated, and minimally detrimental to the welfare of the 



been physically and logically separate systems with little 
interdependence. Advances in information technoiogy a 
the necessity of improved efficiency however, have prec 
tated a steadily and rapidly increasing amount of 
automation in, and interconnection among, these syster 

The USA PATRIOT Act defines critical infrastructure as 
those "systems and assets, whether physical or virtual, s 
vital to the United States that the incapacity or destructi 
of such systems and assets would have a debilitating 
impact on security, national economic security, national 
public health or safety, or any combination of those matters." America's 
critical infrastructures include energy (electric power, oil and gas), trans- 
portation (rail, air, merchant marine), finance and banking, information 
and telecommunications, public health, emergency services, water, chem- 
ical, government, defense industrial base, food, agriculture, and postal 
and shipping. 




enemies of the United States — nations, groups, and, indeed, even 
individuals — are prepared to strike in unconventional ways. These 
adversaries have explicitly stated the intention, not only to strike at 
U.S. citizens, but to attack the nation's infrastructures and cyberspace— 
the pillars of the economy 



lis Strategy also recognize 



ig the integrity of th 



Guiding Policy Principles 



rity of information systems, but also to the related societal 
)n which those systems depend. Accordingly the Strategy 
native measures designed to enhance and augment 
these supporting structures. 

Though the United States possesses both the world's strongest military 
and largest national economy, these two aspects of the nation's power 
increasingly rely upon certain critical infrastructures, which include 
cyber-based information systems. As witnessed on September 11, 



In January 2001, the Administration began a review of the role of infor- 
mation systems and cybersecurity. In October 2001, President Bush issued 
Executive Order 13231, which authorized a protection program consisting 
of continuous efforts to secure information systems for critical infrastruc- 
ture, including emergency preparedness communications, and the physical 
assets that support such systems. The protection of these cyber systems is 
essential to every sector of the economy The development and imple- 
mentation of this program directive has been guided by the following 
organizing principles: 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 





Embrace Private-Public Partnerships 

bility since approximately 85 percent of tlie nation's critical infrastructure 


Safeguard Civil Liberties and Privacy Cooperate with State and Local Governments 

one another. Indeed, to a large degree, by securing the integrity of government in which State governments share power with Federal 




government operations depend on ttiese private facilities. 


Strategy seek to protect individual privacy and, thus, complement those nance has more than 87,000 different jurisdictions and provides unique 




likely include both facilities in the economy and those in the government, 


rity, one must exercise caution to avoid undermining those fundamental governments, like the Federal government, operate large, interconnected 




approaches that span both the public and private sectors, and protect 


values and characteristics of free society that the nation is seeking to information systems upon which critical government sen/ices depend, 
protect in the first place. Accordingly, care must be taken to respect The opportunity comes from the expertise and commitment of local agen- 




been intensively engaged in a closely coordinated effort with the Federal 
government to address these issues. One important step taken by many 
sectors has been the development of information sharing and analysis 
centers (ISACs) to facilitate communication and the dissemination of 


privacy interests and other civil liberties. Consumers and operators must cies and organizations involved in cybersecurity. The challenge is to 

tially, and reliably. rather than duplicative and that ensure essential requirements are met. 

. , _ Accordingly, all critical infrastructure and cyberspace protection plans and 
Coordmate with Congress ^. , „ ^ , ■ ^ .j . j ^ j i- 

actions shall take into consideration the needs, activities, and responsibili- 

To ensure that the approaches adopted to secure America's cyberspace ties of State and local governments and first responders. 




security-related information. In addition, various sectors have developed 
plans to secure their parts of cyberspace, which complement this National 

and collaborative partnership will continue. 

The nation must focus on mechanisms for prevention and crisis manage- 
ment, such as the identification and remediation of vulnerabilities. 


systems enjoy broad support and consensus, the Executive branch will 
work with Congress on approaches and programs to meet the goals of 
our national policy. As appropriate, the Executive branch may ask 
Congress to enact legislation to advance this Strategy 




education, research and development, alert and warning methodologies, 
and the development of measures to support these efforts. To that end, 
private sector owners and operators should be encouraged to provide 








maximum feasible security for the infrastructures they control, and to 
provide the government with the information necessary to assist them in 


CRITICAL INFRASTRUCTURE LEAD AGENCIES 




that task. For its part, the Federal government, in working to safeguard its 
own information systems, should strive to serve as a model to the private 


LEAD AGENCY 


SECTORS 




sector on how infrastructure assurance is best achieved and shall, to the 
greatest extent possible, act with reciprocity to distribute the results of its 


Department of 
Homeland Security 


• Information and Telecommunications 

• Transportation (aviation, rail, mass transit, waterborne commerce, pipelines, and highways 




Avoid Regulation 

In order to engage the private sector fully the Federal government recog- 
nized that participation by owners and operators in the private-public 
partnership would have to be voluntary. To encourage maximum partici- 




(including truclcing and intelligent transportation systems)) 

• Postal and Shipping 

• Emergency Services 

• Continuity of Government 




pation by the private sector in this partnership, the U.S. Government, to 


Treasury 


• Banlcing and Finance 




t the extent feasible, has sought to avoid outcomes that increase govern- 
■■ '^. ment regulation or expand unfunded government mandates to the 
sS^Jy private sector. Accordingly, the government has relied on the incen- 


Health and Human Services 


• Public Health (including prevention, surveillance, laboratory services, and personal health services) 

• Food (all except for meat and poultry) 




/^.'i^Ji fives that the market provides as the first choice for addressing 
I^^^V^^S^^ the problem of critical infrastructure protection, and would 

^ ''^'■^"-^■^^^^it. °^ market to protect the health, safety, or well- 




• Energy (electric power, oil and gas production, and storage) 




Protection Agency 


• Water 

• Chemical Industry and Hazardous Materials 




^_"_'^:(^^^^^-L^^;5o^^^^^^^^^A^ 


Agriculture 


• Agriculture 

• Food (meat, and poultry) 






• Defense Industrial Base 










Designation of Coordinating Agencies 

To facilitate and enhance coordination and communication be 
Federal government and the private sector upon which effecti' 
ship depends, the government has designated a "Lead Agency" for 
of the major sectors of the economy vulnerable to infrastructure 
The designated lead agencies, and their sector counterparts, are listed 
the table on the previous page. In addition, the Office of Science and 
Technology Policy (OSTP) coordinates research and development to 
support critical infrastructure protection. The Office of Management ar 
Budget (0MB) is responsible for the development and oversight of the 
implementation of governmentwide poll 

guidelines for Federal government computer security programs. The State 
Department is responsible for coordinating 
cybersecurity. The Director of Central Intelligence is responsible for 
assessing the foreign threat to the United States networks and informa- 
tion systems. The Department of Justice and the Federal Bi 
Investigation (FBI) lead the national efforts in investigati 
prosecuting cybercrime. 
Working together, the sector representati 



le to change rapidly, the 
nfrastructures and employ 

istly adaptive. Finally in keeping with the partner relationship 
3rity, capabilities and resources of the government, including 
nent, regulation, foreign intelligence and defense prepared- 



Guiding Strategic Principles 

The National Strategy to Secure Cyberspace is the sum of the effor 
individuals, groups, and institutions from around the country The e 
point of these efforts is to create a secure, trusted, robust, reliable, 
available infrastructure to support America's economy, national sec 
and critical services for the foreseeable future. 
Cyberspace is a complex network that connects diverse infrastructures, 
enterprises, and nations. These connections occur over multiple paths 
owned by many different operators. Securing this network does not mean 
ensuring that no one element or connecting path is ever lost. Instead, it 
means ensuring that the network is resilient in the face of disruption or 
losses, that paths may be replaced by others, and that network elements 
are redundant and difficult to permanently disable. The security of indi- 
vidual elements within cyberspace, and their continued evolution with 
changing conditions, creates this resiliency. 




DRAFT 



HIGHLIGHTS 



in summarizes and provides a frameworl< for the rest of the 
It highlights in one place the most important recommenda- 
tions that will be discussed in later sections. 



The security of cyberspace depends vitally on all owners of the nation's 
cyber infrastructure, from the home user to the Federal government. Each 
individual and organization has a responsibility to secure its own portion 
of cyberspace. The Strategy is designed to empower each person and 
each organization to do its part. It provides a roadmap for how to achieve 
cybersecurity and provides tools to better empower all Americans to do so. 
To create this strategic roadmap, the owners of each major component of 
cyberspace have been developing their own plans for securing their 
portions of the infrastructure. Some of these plans are already developed 
and are contained in this document. Others will be added over time. 
Together they will reflect a national partnership between private sectors, 
government, and individuals to vigorously create, maintain, and update 
the security of cyberspace. 

The overall national strategic goal is to empower all 
Americans to secure their portions of cyberspace. This strategic 
goal will be accomplished through six major tools for empowering people 
and organizations to do their part: 

1 . Awareness and Information: Educate and create aware- 
ness among users and owners of cyberspace of the risks and 
vulnerabilities of their system and the means to mitigate 



Tools: Produce new and more secure tech- 
nologies, implement those technologies more quickly, and 
produce current technologies in a more secure way. 
3. It-aining and Education: Develop a large and well-qualified 
cybersecurity workforce to meet the needs of industry and 
government, and to innovate and advance the nation s secunty 




j: Improve Federal cyber 
curity to make it a model for other 
increasing accountability; implementing best prac- 
tices; expanding the use of automated tools to 
continuously test, monitor, and update security 
practices; procuring secure and certified products 
implementing leading-edge training 
and workforce development; and deterring and 
preventing cyber attacks. 

6. Coordination and Crisis Management: 

Develop early warning and efficient sharing of 
informati 

!d quickly 

and responded to efficiently. 

1 of this Strategy, the reader will find 
all of these themes reflected in two ways. First, the intro- 
duction to each section lays out the strategic goals for that 
audience or level of the Strategy Second, each section highlights ongoing 
programs, recommendations, and topics for discussion that will serve to 
develop the strategic goals. 



)rting ac 



Dnal Strategy, the rej 
and numerous questions and topics for debate. It will be the goal 
^deral government to help facilitate the evolution of these discus- 
that they become recommendations. Recommendations will 
1 turn, and some will become initiatives of individuals, organiza- 
government. 



Summary of Recommendations by Section 

The National Strategy calls for actions at all levels and across all sectors. 
Some of the major strategic innovations called for in this document are 
highlighted below. A detailed discussion of each of these innovations is 
included in the pages that follow. 
Awareness and Information 

The Strategy identifies the need for increased awareness about the vulner- 
ability of America's cyber infrastructure and provides information that 
each person, company, organization, and agency can use to help make 
cyberspace more secure. It recommends: 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




velop plans to 
mjunction with programs 

imulation and Analysis 



develop these workers. 



States should consider creating Cyber Corps scholarship-for- 
sen/ice programs at State universities, to fund the education of 
undergraduate and graduate students specializing in IT security 
who are willing to repay their grants by working for the states. 
The existing Federal Cyber Corps scholarship-for-sen/ice program 
should be assessed for possible expansion to additional universi- 
ties, with both faculty development and scholarship funding. The 
program could also add a faculty and program development 
effort with community colleges. 

The CIO council and relevant Federal agencies should consider 
establishing a "Cyberspace Academy," linking Federal cybersecu- 
rity and computer forensics training programs. 
IT security professionals, associations, and other appropriate 
organizations should explore approaches to and the feasibility of 
a nationally recognized certification program, including a contin- 
and retesting program. The Federal government 
he establishment of such a program, and, if it is 
ing that Federal IT security personnel be 

'ly certified. 



The Strategy recognizes that all Americans have a role to play in 
cybersecurity, and identifies the market mechanisms for stimulating 
cyberspace. It recommends: 
• CEOs should consider forming enterprisewide corporate security 
councils to integrate cybersecurity, privacy, physical security, and 
operational cc 




• State and local governments should consider establishing IT secu- 
rity programs for their departments and agencies, including 

ts, and standards. State, county, and municipal 
Id provide assistance, materials, and model 

providers, beginning with major ISPs, should 
ig a "code of good conduct" governing their 
actices, including their security-related coopera- 



way exchange of 
• Colleges 



!d cyberspace security. 



i universities should consider establishing together; 
ore information sharing and analysis centers (ISACs) 
sal with cyber attacks and vulnerabilities; (b) model guide- 
empowering Chief Information Officers (ClOs) to address 
rsecurity; (c) one or more sets of best practices for IT secu- 
programs and materials. 




DRAFT 




DRAFT 



LEVEL 2: 

LARGE ENTERPRISES 



The strategic goal is to encourage and empower large enterprises to 
establish secure systems. This goal can be achieved through a range of 
voluntary initiatives including: 

• raising the level of responsibility; 

• creating corporate security councils for cybersecurity where 
appropriate; 

• implementing A.C.TI.O.N.S. (defined in the table, infra) and best 
practices; and, 

• addressing the challenges of the borderless network, mainframe 
security, instant messaging and other technologies. 

Issues and Challenges 

The development of a resilient cyber infrastructure that supports the long- 
term economic development of the nation depends in large part on the 
security of large enterprises. Large enterprises do not operate in isolation. 
Rather, they provide a constant flow of data that helps to drive the U.S. 
economy. Resiliency enables the nation to protect, detect, respond, and 
recover from cyber-based attacks. Developing this essential economic 
attribute is a collective challenge that can only be achieved through the 
corporate actions of large enterprise operators. 

Large enterprises can play a unique role in developing this resiliency by 
ensuring that security is an integral component of their individual archi- 
tectures, network operations, and management. The massive networks 
that facilitate the transactions of the U.S. economy constitute both our 
strength and our vulnerability 



The ec 



impany Rather such events car 

compromise intellectual property and sensitive research that can lead to 
long-term macroeconomic ioss. Moreover, security breaches can place 
customer data at risk and erode confidence and trust in an enterprise an 
its affiliates. Cyber vulnerabiiities can significantly damage large enter- 
exploited to harm other systems outside the enterprise and even infra- 



DRAFT 



:e complicate the provision and management of 
enterprisewide security Cybersecurity is a moving and dynamic target. 
There is no one-size-fits-all solution, or special technology that will make 
an enterprise secure. In fact, 100 percent security is not a possibility in 
today's interconnected environment. 

Ultimately, addressing cybersecurity within an enterprise is more than a 
technical problem, it is a management challenge. The scope of the risks 
presented by cybersecurity can be effectively managed by engaging senioi 
leadership and by involving the corporate board of directors. 
Cybersecurity may warrant close attention from the board of directors. 
Considering security only after an incident has occurred places the busi- 
ness, the customers, and even the country at risk. In contrast, effective 
governance of cybersecurity promotes growth, productivity and share- 
holder confidence. 

Discussion of Strategy 

Raise the Level of Responsibility 

The board of directors plays a vital role in the corporate system. 
Shareholders ultimately own corporations. Corporate boards are account- 
able to shareholders, and, in turn, managers are accountable to the 
board. Raising the responsibility for cybersecurity to the level of the board 
of directors can have significant enterprisewide results. The board can 
better understand its enterprise by asking a series of questions about the 



Questions corporate boards, financial 
analysts and investors should ask: 



How often do the CEO and COO review IT 




sufficiency of the organization's security structure and controls. To better 
understand the scale, scope, and effectiveness of enterprise cybersecurity 
some boards, through an appropriate board committee, require periodic 
reporting by management. 

The U.S. Department of Commerce uses its Critical Infrastructure Assurance 
Office (CIAO) as its lead office to partner with the private sector to help 
promote the importance of information security management and assurance 
to senior managers and directors. The CIAO has been working with the 
Institute of Internal Auditors (HA) to help raise awareness about critical 
infrastructure protection in the context of a large enterprise. The IIA 
teamed with the National Association of Corporate Directors, the 
American Institute of Certified Public Accountants, and the Information 
Systems Audit and Control Association to host a series of informative 
summits across the country. These highly successful events heightened the 
awareness of corporate directors and top managers of their key role in 
safeguarding the information assets of the organizations they oversee. 
Towards a Corporate Security Council 

Today's diffuse security threats require new thinking and approaches. For 
example, some large enterprises may want to consider creating a corpo- 
rate security council consisting of key members of the company with 
security-related responsibilities. Corporate officials with risk management 
and security-related responsibilities could form the core of such a team. 
These officials may include: 



• The Chief Operating Officer (COO); 

• The Chief Information Officer (CIO); 

• The Chief Technology Officer (CTO); 

• The Chief Information Security Officer (CISO)/ 
Chief Security Officer (CSO); 

• The Chief Risk Officer (CRO); 

• The Privacy Officer; and, 

• The official responsible for physical security 

These officials can coordinate preparedness plans to ensure that cyberse- 
curity is factored into the operations of the enterprise. Because a failure in 
cybersecurity can compromise intellectual property customer data, and 
business operations, it is important that the key decision makers and tech- 
nical officials are brought together Furthermore, they can advise the CEO 
in a crisis and coordinate the execution of their contingency and conti- 
nuity plans in response to cybersecurity incidents. The resiliency of large 
enterprises contributes directly to resiliency of the macro economy and 
ultimately the nation. 
A.C.T.I.O.N.S. and Best Practices 

There are a wide range of A.C.TI.O.N.S. that can be undertaken to 
facilitate the integrity reliability, availability, and confidentiality of the 
enterprise. (Figure L2-1) 



A.C.T.I.O.N.S. AND BEST PRACTICES 



Authentication 
Configuration management 

Training 

Incident response 
Organization networl< 
Networi( management 

Smart procurement 



e, operating systems and software are in use, including specific versions and patches applied; create robust access 
ware change controls, segregate responsibilities; implement best practices; and, do not use default security settir 



capability for respondinc 



) supplement these efforts, 
iss operations and the systems 



DRAFT 



The Borderless Network 

One of the most dramatic challenges to enterprise security is the border- 
less corporate network. The rapid adoption of networking and 
business-to-business (B2B) commerce has eroded the once well-defined 
borders of corporate networks. Today's enterprises are so interconnected 
that when enterprises take on joint ventures they may end up with virtual 
insiders. Virtual insiders are the people connected to a network that the 
owner does not know are there. These connections are not recorded in 
the enterprise management plan and can often result when a contractor 
grants access to a subcontractor. Ubiquitous connectivity is driving funda- 
mental changes in the approaches to enterprise security management. 
These changes are, in turn, requiring new research, tools, and 
approaches. 

Mainframe Computers 

Mainframe computers continue to play important roles in large enter- 
prises. However, security policies and practices tend to focus on desktop 
computers, network servers, network devices, the Internet, and pereasive 
computing devices - to the exclusion of mainframe computers. 
Mainframe security personnel have been redeployed or recruited toward 
new opportunities. Advances in mainframe technology and connection to 
the Internet have created new risks and vulnerabilities rendering existing 
mainframe security policies and practices obsolete. Furthermore, the 
frequency and rigor of qualified mainframe audits have deteriorated to 
the point they are no longer capable of identifying these threats. 
Organizations and government agencies must refresh their security 
polices, practices and technologies as vigorously as elsewhere or risk 
exploitation from new threats. 



disruption, and loss of data. Effectively mitigating the 
insider threat requires policies, practices and continued training. 
Three common policy areas which can reduce insider threat include: 
(1) access controls, (2) segregation of duties, and (3) effective policy 
enforcement. 

• Poor access controls enable an individual or group to inappropri- 
ately modify, destroy, or disclose sensitive data or computer 
programs for purposes such as personal gain or sabotage. 

• Segregation of duties is important in assuring the integrity of an 
enterprise's information system. No one person should have 
complete control of any system. Failing to properly segregate the 
computer duties of an organization's staff can dramatically 
increase the risk of errors or fraud. 

• Effective enforcement of an enterprise security policy can be 
challenging and requires regular auditing. New automated soft- 
ware is beginning to emerge which can facilitate efficient 
enforcement of enterprise security. These programs allow the 
input of policy in human terms, translation to machine code, and 
then monitoring at the packet level of all data transactions 
within, and outbound from, the network. Such software can 
detect and stop inappropriate use of networks and cyber-based 



Instant messaging (IM) programs present another point of vulnerability to 
large enterprise systems. For example, IM programs can by-pass firewalls 
and antiviral scanners allowing malicious code, unauthorized intruders, 
and valuable data to covertly move in and out of enterprise systems. 
Enterprises should adjust their computer security polices to appropriately 
account for the risk presented by IM programs. 
Insider Threats 

Approximately 70 percent of all cyber attacks on enterprise systems are 
believed to be perpetrated by trusted "insiders." Insiders are trusted 
people with legitimate access rights to enterprise information systems 
and networks. Such trusted individuals can pose a significant threat to the 
enterprise and beyond. The insider threat can arise from the intentional 
malice of a disgruntled employee or accidentally from the poor security 
practices of a careless or unaware employee. Whether the threat is 
intentional or accidental, the results are often the same — damage. 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 



LEVEL 3: 

THE FEDERAL GOVERNMENT 



The Federal government's strategic goal is to significantly improve the 
cybersecurity' of Federal information and information technology To 
achieve this goal, each agency will be expected to create and implement 
the following formal three-step process to achieve greater security: 
• step one — identify and document enterprise architectures; 



branch Information 



urity enhancements; 



• explore whether specific criteri 
and reviewers are necessary ar 
is necessary. 




Issues and Challenges 



al government is the collective responsibility of its 
IS. Accepting anything less than excellence in 
places the nation and the American people at risk. 



Historically, the Federal government did n 
systemically; instead, it often merely "taci 
thought — reacting to threats, vulnerabiliti 



; — implement security controls and remediation efforts 
and manage those risks. 

St the individual agencies in implementing the tore- 
Tiplemented under the Federal government IT security 



:y, 0MB es 



:d by la' 



rity program, a 

oversight of Federal agency cc 
program is based on a cost-effective, risk-based approach. Agencies must 
ensure that security is integrated within every investment. This approach is 
designed to enable Federal government business operations, not to 
unnecessarily impede those functions. 

Federal Government IT Security Remediation Process 

A key step to ensure the security of Federal information technology is to 
understand the current state of the effectiveness of security and privacy 
controls in individual systems. Once identified, it is equally important to 
maintain that understanding through a continuing cycle of risk assess- 
ment. This approach has long been suggested by the General Accounting 
Office, is reflected in 0MB security policies, and is featured in the 
Government Information Security Reform Act of 2000 (GISRA). 
0MB is responsible for the development and oversight of the implementa- 
tion of govern mentwide policies, principles, standards, and guidelines for 
Federal government computer security programs. Within a statutory 
framework, 0MB issues security policies and ensures that security is 
appropriately integrated with capital planning and budget guidance. 
Oversight is achieved largely in the following ways: via the budget and 
capital planning process, independent program reviews, annual agency 
program reviews, independent Inspector General (IG) evaluations, agency 
reports to 0MB, agency security corrective action plans, and an annual 
0MB report to Congress. 




perform annual independent evaluations of an agency's security program 
and a subset of systems. These reviews and evaluations, along with other 
applicable security reviews, identify an agency's security performance 
gaps. To ensure that those gaps are addressed, agencies are required to 
develop corrective action plans for every system and program where a 
weakness was found. Corrective action plans for agency systems are tied 
directly to each agency's funding request for the system — 0MB funding 
approval for systems is contingent upon correction of outstanding security 
weaknesses. Additionally, agencies must ensure that security has been 
incorporated and security costs reported for every IT investment through 
the Federal capital planning process. 0MB policy stipulates that specific 
lifecycle security costs be identified, built into, and funded as part of each 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




2. Lack of performance measurement. 

Agencies must be able to evaluate the performance of officials 
charged with implementing specific requirements of GISRA. To 
evaluate agency actions, agencies must measure job and program 
performance, i.e., how senior leaders evaluate whether respon- 
sible officials at all levels are doing their jobs. They must be able 
to evaluate the performance of officials charged with securing 
agency operations and assets. Virtually every agency response 
regarding performance implies that there is inadequate account- 
ability for job and program performance related to IT security. 

3. Poor security education and awareness. 

Agencies must improve security education and awareness. 
General users, IT professionals, and security professionals need 
to have the knowledge to do their jobs effectively before they 
can be held accountable. 

4. Failure to fully fund and integrate security into capital planning 

Security must be built into and funded within each system and 
program through effective capital planning and investment control. 
As 0MB has done for the past two years in budget guidance. 
Federal agencies were instructed to report on security funding 
to underscore this fundamental point. Systems that do not inte- 
grate security into their IT capital asset plans will not be funded. 

5. Ensuring that contractor sen/ices are adequately secure. 
Agencies must ensure that contrador sen/ices are adequately 
secure because most Federal IT projects are developed and many 
operated by contractors. Therefore, IT contracts, including those 
for telecommunications, need to include adequate security 
requirements. Many agencies reported no security controls in 
contracts or no verification that contractors fulfill any require- 
ments that may be in place. Additionally, the 0MB report 
discusses pen/asive security flaws found in many of today's 
commercial software products. These flaws go well beyond 
security to the very performance of the products themselves, 
and it is time to address this problem at a national level. 

6. Failure to detect report, and stiare information on vulnerabilities. 
Far too many agencies have virtualiy no meaningful system to 
test or monitor system activity; therefore they are unable to 
detect intrusions, suspected intrusions, or virus infections. This 
places individual agency systems and operations at great risk 
since response depends on detection. Perhaps most significant is 
not detecting and reporting IT security probiems couid cause 
cascading harm. America's vastly inter-networked environment 
also means shared risk with the best security being only as 
strong as the weakest link. 



Early warning for the entire Federal community starts first with detection 
by individual agencies, not incident response centers at the FBI, GSA, 
DOD, or elsewhere. The latter can only know what is reported to them, 
reporting can only come from detection, and guidance for correaive 
action depends upon both. This need is thus not a technical one, but a 
management one. Additionally, it is critical that agencies and their 
components report all incidents in a timely manner to GSA's Federal 
Computer Incident Response Center and appropriate law enforcement 
authorities, such as the FBI's National Infrastructure Protection Center, as 
required by GISRA. 

Additional issues and challenges have also been identified: 
Authentication: Key to Cybersecurity 

Intruders gaining access to systems by pretending to be the authorized user 
can do immense harm. As described in NIST's "Introduction to Computer 
Security" — ^The NIST Handbook (located at wvvw.csre.nist.gov/), there 
are three basic means to ensure the identification and authentication of 
users— applying something the user knows (password), applying something 
the user has (token or smart card), and applying something the user is 
(biometric information). The weakest and most commonly used method of 
identification and authentication is applying something a user knows. 
Why is it the weakest? Because would-be intruders (and auditors) often 
successfully discern passwords through both pretext conversations with 
unsuspecting users and relatively simple technical means. 
If an intruder were to obtain the password of an agency employee, he 
would gain the same trusted privileges as the employee and could 
operate behind the firewall, use and interfere with system resources, and 
gain real-time access to sensitive data. What is more, the intruder might 
also have access to other systems in the domain. 

If the victim employee had administrator or super-user privileges, the 
intruder would likewise acquire those privileges and could have unlimited 
access to the entire network and the information on it. What is worse, the 
intruder could acquire valuable information and an understanding of system 
weaknesses, escape without detection, perhaps share what they have 
learned with others, and return another day to inflict even greater damage. 
Inconsistent Contingency Planning 

Among the lessons learned from security reviews following the events of 
September 1 1, was that Federal agencies had vastly inconsistent, and in 
most cases incomplete, contingency capabilities for their communications 
and other systems. Contingency planning is a key element of cybersecu- 
rity. Without adequate contingency planning and training, agencies may 
not be able to effectively handle disruptions in service and ensure busi- 
ness continuity. Continuity plans cannot simply be written and placed on 
the shelf. These plans must be tested on a regular basis to ensure that 
agency employees are fully aware of their roles and responsibilities. 



DRAFT 



Discussion of the Strategy 



Agency-Specific Measures 

In order to fully realize the intent of GISRA, the Federal government nr 
have a comprehensive and cross-cutting approach to improving cyber; 
curity. Clearly, cybersecurity is not a "one-size-fits-all" solution. Howev 
there are three elements that are central to attaining and maintaining 
robust cyber security for the Federal government. These include: 
• identifying and documenting enterprise 



Step One — Identify and Document Enterprise Architectures. 

As a matter of 0MB policy, each agency must identify and document their 
enterprise architecture, including developing an authoritative inventory of 
all operations and assets, and all agencies IT systems, critical business 
processes, and their inter-relationships with other organizations. This will 
produce a govern mentwide view of critical security needs. The Federal 
government is now integrating 0MB and Federal CIO Council govern- 
mentwide enterprise architecture activities and the Critical Infrastructure 
Assurance Office's Project Matrix efforts. The integration is intended to 
better identify and document agency and cross-government core 
processes, areas of unnecessary duplication, and areas where planned 
redundancy is lacking. Modeling and evaluating potential implications of 
threats and vulnerabilities on cross-agency business processes will also 
benefit from the integration efforts. 

Step Two — Continuously Assess Threats and Vulnerabilities, 
and Understand the Risks they Pose to Agency Operations 
and Assets. Commercial automated auditing and reporting mechanisms 
are now available to validate the effeaiveness of the security controls 
across a system and are essential to continuously understand risks to 
those systems. Some, but not all, civilian agencies have taken steps to 
increase the use of these automated tools. More agencies need to do so. 
Therefore, the Federal government will drive the greatly expanded use of 
effective automated tools to detect intrusions, conduct periodic vulnera- 
bility assessments, actively manage and preempt threats, and continuously 
audit the security posture of information technology systems. (See recom- 
mendation R3-5.) 

As agencies expand their use of automated tools, the Federal government 
will consider whether benefits derive from consolidated acquisition, oper- 
ation, and management of those tools. One possible approach, but 
certainly not the only one, could be to centrally deploy and manage them 
from FedCIRC. Such consolidation could standardize and automate 



:urity report to Congress. 

Automated tools on agency networks could continuously assess system 
vulnerabilities, collect and analyze firewall and intrusion detection audit 
logs, audit configuration and security policy controls, and automatically 
report the results to FedCIRC. Automated tools can be helpful in 
analyzing data, providing forward-looking assessments, and alerting agen- 
cies of unacceptable risks to their operations. 

At the same time however, it is important that individual agencies and 
program officials within them continue to take responsibility and be held 
accountable for the security of the operations and assets under their 
control. Separating responsibility and accountability sends the incorrect 



carefully cc 



sidered before being adopted. (See 



n R3-3) 



Step Three — Implement Security Controls And Remediation 
Efforts To Reduce or Manage Those Risks. The implementation of 
security controls that maintain risk at an acceptable level and test the 
controls to ensure that they continue to be effective can often be accom- 
plished in a relatively brief amount of time. However, the remediation of 
vulnerabilities is a much more complex challenge. Software is constantly 
changing and each new upgrade can introduce new vulnerabilities. As a 
result, vulnerabilities need to be assessed continuously. Remediation often 
involves "patching," or installing pieces of software or code that are used 
to update the main program. The remediation of Federal systems must be 
planned in a consistent fashion. In addition, the Federal government 
should explore more secure network protocols as they develop and assess 
how their adoption and implementation could benefit agency operations. 
When it is shown that such secure protocols can have a cost-effective 
benefit on agency operations, the Federal government should lead in 
adopting and implementing them. 

Identifying and Authenticating Users and Maintaining 



Through the electronic government e-Authentication initiative and other 
means, the Federal government is promoting a continuing chain of secu- 
rity for all Federal employees and processes, including the use where 
appropriate of biometric smart cards for access to buildings and 
computers, and authentication from the moment of computer log on. The 
benefits of such an approach are clear To establish and maintain secure 
system operations, organizations must ensure that the people on the 
system are who they say they are and are doing only what they are 
authorized to do. 



Identifying and authenticating each system user is the first link in the 
system security chain, and it must take place whenever system access is 
initiated. Many authentication procedures used today are inadequate and, 
even correctly configured passwords can often be obtained from users. 
However, as GAO and others frequently report, passwords are not being 
changed from the system default, are often incorrectly configured, and 
are rarely updated. 

By promoting multi-layered identification and authentication — the 
combined use of strong passwords, smart tokens, and biometrics — the 
Federal government will eliminate many significant security problems that 
it has today Through the ongoing e-Authentication initiative, the Federal 
government will review the need for stronger access control and authenti- 
cation; explore the extent to which all departments can employ the same 
physical and logical access control tools and authentication mechanisms; 
and, consequently, further promote consistency and interoperability 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 



System Configuration Management 

Using the Board's Executive branch Information Systems Security 
Committee and the governmentwide architecture development activities, 
OMB is exploring ways to promote greater uniformity of systems 

throughout the Federal enterprise, and to simplify and unify security 

processes to increase efficiency and effectiveness. 



irough the budget 



fcially av 



ensuring the ac 

configuration. As discussed in the Federal CIO Council's "Practical Guide 
to Federal Enterprise Architecture," configuration management is critical 
to an architecture maintenance program. See the CIO Council's "Guide" 
at www.itpoiicy.g5a.gov/mice/a1xhpius/ea_guide.dac. 

The guide also describes the need for periodic configuration audits as an 
architecture control feature. Automated tools are now widely available 
commercially to perform such audits. Configuration control has incidental 
and important benefits to security, i.e., controlling system configuration 
permits agencies to more effectively and efficiently enforce policies and 
permissions and more easily install antivirus definitions and other software 
updates and patches across an entire system or network. 




Improved Security in Government Outsourcing and Procurement 

Through a joint effort of OMB's Office of Federal Procurement Policy, the 
Federal Acquisition Regulations Council, and the Executive branch 
Information Systems Security Committee, the Federal government is iden- 
tifying ways to improve security in agency contracts and evaluating the 
overall Federal procurement process as it relates to security. Agencies 
maintaining the security of outsourced operations was one of the key 
weaknesses identified in OMB's February 2002 security report to Congress. 
Additionally the Federal government is conducting a comprehensive 
review of the NIAP to determine the extent to which it is adequately 

implementation of the Department of Defense's July 2002 policy requiring 
the acquisition of products reviewed under the NIAP or similar evaluation 
processes. That policy stipulates that if an evaluated product of the type 
being sought is available for use, then the DOD component must procure 
such evaluated product. If no evaluated product is currently available, the 
component must require prospective vendors to submit their product for 
evaluation to be further considered. 

Following this program review, the government will evaluate the cost- 
effectiveness of expanding the program to cover all Federal agencies. If 
this proves workable, it could both improve government security and 
leverage the government's significant purchasing power to influence the 
market and begin to improve the security of all consumer information 
technology products. The Federal government recognizes that past efforts 
such as this have failed, but believes that the heightened level of govern- 
ment and consumer concerns over significant flaws in information 
technology products warrants renewed efforts. 

Framework for the Strategy 

Hold Agencies Accountable 

Since the beginning of his Administration, the President has called for 
better management of the Federal government. Beginning with his 
Budget Blueprint in February 2001, continuing in the FY 2002 and 2003 
budgets, and in his Management Reform Agenda, the President has 
repeatedly spelled out a clear agenda for government reform. The 
President has ordered the pursuit of five governmentwide initiatives that 
together will help government achieve better results. See www.white- 
house.gov/omb/budget/fy2002/mgmt.pdf. Because much of what 
is required to develop and sustain an effective security program is a solid 
management foundation, the Federal government is using the President's 
Management Agenda to build that foundation and drive the reform of its 
security program. 



government more productive. The National Strategy to Secure Cyberspace 
complements these efforts by making sure that the E-Government initia- 
tive ("E-Gov"), and the infrastructure it relies upon, are secure. The 
Federal government will then be better able actively to anticipate threats 
and vulnerabilities, preempt them where possible, and survive them when 
preemption is not possible. In this way, the Federal government will set an 
example for all owners and operators of the nation's cyber infrastructure. 

To achieve this standard of performance, good intentions and good 
beginnings are not the measure of success. Rather, the government will 
require demonstrated performance and results. In order to ensure 
' and measure performance in cyber security, the 
listration will do three things: 

• Analyze Empirical Evidence of Agency Performance to Evaluate 
Compliance. GISRA required the Federal agencies to perform an 
annual independent evaluation of their information security 
program and practices. The results of these evaluations are 
reported to OMB. These reports include an accounting of all 
security weaknesses in agency systems and programs and a 
detailed corrective action plan with milestones and timelines. 
These reports are tied to the budget process and agency 
information technology funding requests to OMB must account 
for the [ifecycle costs for security or they will not be approved. 
OMB uses this data to score the agencies' security performance. 
The first round of security reporting is reflected in OMB's 
February 2002 security report to Congress. See www.white- 
house.gov/omb/inforeg/fy01securityactreport.pdf. 

• Chart Agencies Progress Using the Management "Scorecard. " For 
each of the President's Management Agenda initiatives, OMB has 
adopted an Executive branch management "scorecard" 
— a simple "traffic light" grading system common today in 

IS. Green indicates success, and yellow 
lin the E-Gov "scorecard," OMB 



• Base Agency Funding Decisions 01 
Performance. Over the next three years the Federal government 
will likely spend approximately $20 billion on IT security — 
including research and development. OMB will continue to use 
both the "scorecard" and the GISRA security reporting to inrorm 
budget decisions for agency requests for information technology. 
OMB policy is clear: requests for information technology will not 
be funded or resources will be reallocated if the agency has 
shown poor security performance or if it has not included secu- 
rity requirements in the life-cycle costs for each investment. See 
OMB's security investment policy, www.whitehouse.gov/ 



BERSPACE 



DRAFT 



'ill help to ensure that each agency does its part to 
improve and maintain the overall Federal government security posture by 
developing and maintaining a solid security management foundation 
upon which operational and technical security controls are built. This 
management foundation includes assigning clear and unambiguous 
authority and responsibility for security, holding officials accountable for 
fulfilling those responsibilities, and integrating security requirements into 
budget and capital planning processes. 

Establish an Office of information Security Support Services 

The "build once, use many" approach demands a central organization to 
manage and finance some of the initiatives. Moreover, the increasing 
complexity of information technology security is placing significant pres- 
sure on many (especially small) agencies to effectively address their 
security requirements. For the civilian agencies, an office in the proposed 

function. Operating under 0MB oversight, this office could include 
resources from other agencies and could assist the agencies, 0MB, NIST, 
the CIAO, and others in meeting their responsibilities. (See recommenda- 
tion R3-9.) 

Federal Cyber Incident Response Plan 

The Incident Response Committee of the President's Critical Infrastructure 
Protection Board is developing a cyber annex to the Federal Response 
Plan (FRP) maintained by FEMA (www.fema.gov/rrr/frp/ 

frpintro.slitm). The FRP establishes a process and structure for the 
systematic, coordinated, and effective delivery of Federal assistance to 
address the consequences of any major disaster or emergency declared 
under the Robert T Stafford Disaster Relief and Emergency Assisi.tiK c 
Act, as amended (42 U.S.C. 5121, ef. seq.). The cyber annex will identify 
lead agency roles, authorities, and policy governing Federal cyiu^r 
response in the event of a large-scale cyber threat or attack. Tne .miK^x 
will have a supplement with a comprehensive contingency plan detailing 
the Federal government's response to large-scale cyber incidents. 

A valuable by-product of the foregoing effort will be to evolve incident 
response capabilities toward greater efficiency and improved coordina- 
tion. An essential component of this enhanced capability is greatly 
improved analysis and warning, including moving from a retrospective 
view to a forward-looking one. The Federal government is also working 
to consolidate, and make uniform, agencies contingency and disaster 
recovery planning for their telecommunications networks and informa- 
tion systems. 

Security Preparedness Exercise 

To test the civilian agencies security preparedness and contingency 
planning, the Federal government is considering the use of a scenario 
based exercise to evaluate the impact of a threat on a selected 
cross-government business process. One such possibility could include 



entwide cybersecurity exercises. This approach 
) that employed in 1998 by the Department of 
own as "Eligible Receiver" and would be developed 
cooperation of each participating agency The exercise would 
most security disciplines — including physical, operations, infoi 
and systems. Among other 
that today's agency-specific 
systems do little to reveal how low probabi 
consequences on interconnected systems ai 
discovered will be included in agency GI5RA corrective 
recommendation R3-8.) 



Federal policy currently stipulates that each agency 
provide for the continuity of its operations including 
Such planning and service provision should be consistent 
government, and departments considering creating new capabil 
should examine cross-agency sharing arrangements. 

The Federal government will continue to assess the technical viability anc 
cost effectiveness of various options that provide 
operations during service outages such as VPNs, "| 
and others. (See recommendation R3-6.) 




With the growing emphasis on security comes the corresponding need 
for expert independent verification and validation of agency security 
programs and practices. GISRA and OMB's implementing guidance 
require that agencies' program officials and ClOs review at least 
the status of their programs. Few agencies have available person 
:hus they frequently com 

Agencies and 0MB have found that contractor security expertise 
widely from the truly expert to less than acceptable, 
independent verification and validation contractors a 
ness of providing security program implementation si 
program reviews may be biased towards their preferr 

id by the same agency 
annual GISRA program reviews. Even the perception of a conflict of 
should be avoided when evaluating the security of an agency 

The Federal government will explore whether private sector security 
service providers to the Federal 

meeting certain minimum capabilities including the extent to which they 
are adequately independent. The national security community has begun 
such certifications for security service providers working in that 




In addition to the efforts described earlier, the OMB-chaired Committee is 
reviewing a number of security issues that will promote greater benefits 
for securing agency business operations. To view the impact and effects 
of security policies on agency programs and bi 
;s officials from across a nun 
le Federal government, including Chief Information Officers, Chief 
nancial Officers, Inspectors General, Procurement Executives, small agen- 
m officials (business li 
officials, and budget officials. 

Among the Committee's current and planned activities are a gap analysis 
of current policies and processes, an evaluation of the viability of a 
governmentwide common methodology for grading risks, £ 
the desirability of developing uniform security practices or benchmarks for 
similar operations, assets, and systems. The latter two efforts reflect our 
"build once, use many" approach. 
Gap Analysis of Current Policies and Processes 

3s in the coverage of 

.or non-national st„ 

meet the needs of the departments and 
he level of detail and coverage and adequately 
security performance? The Committee is also 
listing policy development processes are efficient, 
ut from all relevant agencies and organizations, a 
a timely manner. Where improvement is needed the 
aiding appropriate recommendations. 



and other organizations and will determine whether a uniform sc 
under which all agencies grade risks is viable and desirable. The group has 
begun assessing whether a common methodology across the government 



In reviewing this issue, the Committee 
assumptions. First, all agency operations and ass 
security. Second, effective security demands an i 
acceptable level of risk. Third, the business requi 
tion within and across agencies, with industry, ai 
(especially in light of the September 1 1 terrorist 
and is complicated by differing approaches to gr 
uniform risk-grading process will assist agencies 
security controls. Fifth, a uniform risk-grading pr 
oping corresponding security requirements. 



The Committe 



ing or 



d above. The group will explore whether implementing, 
d monitoring security for operations that are similar across 
s and agencies will reduce costs and improve the security 



Several assumptions will also be tested in this area. First, many agency 
programs and IT operations are essentially the same (e.g., e-mail and web 
sen/ers, financial systems, general support systems or networks) and so 
too are the associated security requirements. Second, uniform security 
practices that consolidate in one place all applicable security policies and 
technical guidance would simplify and reduce costs for achieving the 
adequate level of security for similar activities. Third, uniform security 
practices are viable once uniform risk grading is in place. 
Cross-government Steps 

One of the goals for many of these efforts is to unify and simplify security 
programs and processes and build security consistency across the govern- 
ment. This "build once, use many" approach for governmentwide security 
is consistent with the approach used for E-Gov initiatives and OMB's guid- 
ance to the agencies for preparing their FY 2004 budget requests. That 
guidance states that OMB "will give priority consideration to IT invest- 
ments that leverage technology purchases across multiple entities." For 
more on OMB's FY 2004 budget guidance, see 
www.whitehouse.gov/onib/circulars/a11/01toc.html. 



DRAFT 



INFORMATION INTEGRATION AND 
INFORMATION TECHNOLOGY FOR 



A key goal to protect our r)ation's ir)frastructure is to er)sure 
that there is a national environment— addressing people, 
process, and technology— that enables the integration of 
essential information for combating terrorism among Federal, 
State, local, and private sector entities. We must put in place 
mechanisms that provide the right information to the right 
people all the time. With the use of information technology, 
homeland security officials throughout the United States will 
have complete and common awareness of threats and vulner- 
abilities, as well as knowledge of the personnel and resources 
available to mitigate those threats. Officials will receive the 
information they need from all levels of government and the 
private sector so that they can anticipate threats and respond 
rapidly and effectively. This information integration will 
better enable officials to protect the physical and cyber infra- 
structure, secure our country's borders, prevent biological or 
chemical attacks, and provide an effective first response to a 



Major Strategic Goals 



th State and local govern- 



• Drive national and international information integration and 

information delivery standards 

• Develop innovative service delivery models and business models 
ttiat enable government to use information held outside the 
government arena 




• Drive the integration of information essential to homeland 
security among and between Federal, State, and local govern- 
ment, and the private sector (vertical integration) 

• Guide the enablement of the National Strategy for Homeland 
Security through appropriate use of information technology 
capabilities, products. 



Major Risks to be Addressed 

• Maintaining privacy while enhancing security 

• Aligning policy and laws with desired outcomes 
diversity to achieve collaborative 

• Consolidating redundant or duplicative efforts 

• Overcoming political and cultural barriers 

• Ensuring appropriate security measures for new technology 



Security Enterprise 



• Implementation of a National Homeland Security Portal (Worid 
Wide Web site) 

• Consolidation of Federal "Watch-out" lists 

• Multi-State Sharing of Law Enforcement Information 
id Security 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 



LEVEL 3: 

STATE AND LOCAL GOVERNMENTS 



et strategic goals for achieving and 
itical information infrastructures from 
that would significantly diminish State 



al governments capacity to 



Issues and Challenges 

states provide services that make up the "public safety ne 
of Americans and their families. Services include essential 
activities as well as critical public safety functions, such as 
ment and emergency response services. States also own a 
critical infrastructure systems, such as electric power and 
transportation, and water systems. They play a catalytic role in bringing 
together the different stakeholders that deliver critical services within thi 
State to prepare for, respond to, manage, and recover from a crisis. 
Delivering critical services unique to their roles and responsibilities withir 
our Federalist system makes State government a critical infrastructure 

Many of these critical functions carried out by States are inexorably tied 
IT — including making payments to welfare recipients, supportinu i,m 
enforcement with electronic access to criminal records, and of 
State-owned utility and transportation services. Preventing cyber attacks 
and responding quickly when they do occur, ensures that these 24/7 
systems remain available and in place to provide important services that 
the public needs and expects. 

Information technology systems have the potential for bringing unprece 
dented efficiency and responsiveness from State governments for their 
residents. Citizen confidence in the integrity of these systems and the 
data collected and maintained by them is essential for expanded use an( 
capture of these potential benefits. 



Discussion of Strategy 



With an increasing dependence on integrated systems. State, local, and 
Federal agencies have to collectively combat cyber attacks. Sharing Infor 
mation to protea systems is an important foundation for ensuring 
government continuity. States have adopted several mechanisms that 
assist in sharing information on cyber attacks and in reporting incidents. 
These mechanisms are continually being modified and improved as new 
policy emerges and as technological solutions become available. In addi- 
tion. States are exploring options for improving information sharing bott 
internally and externally These options Include enacting legislation that 
provides additional funding and training for cybersecurity and forming 
partnerships across State, local, and Federal governments to manage 

Some mechanisms that many States are using to address cyber; 



• Goi/ernance Structure. Many States have an I 
nance structure that guides and enacts cyber: 
the State. Functions may include making poll' 
to the Governor or establishing a restoration priority list of agen- 
cies if multiple agencies are disabled concurrently In many cases, 
the cybersecurity board includes all branches of government and 
affected agencies. Additionally some States are including local 
governments in the governance structure, recognizing that local 

• Establishment of the Roles of the State Chief Information Officer 
(CIO) and Chief Information Security Officer (CISO). ClOs and 
CISOs oversee security policy and the implementation and main- 
tenance of critical information systems. 

• State Homeland Security Initiatives. Homeland Security Directors 
recognize that the States' cyber systems are at high risk for 
terrorist threats. With this in mind. States are shoring up networl 
infrastructure and implementing authentication and authoriza- 
tion processes for State information systems. State policymakers 
and technologists are making outreach efforts to the public to 
educate them on how to protect their own information systems 




Law Enforcement 

state and local governments play an important role in the emergency law 
enforcement sector. Emergency Law Enforcement Services (ELES), as a crit- 
ical infrastructure sector, is included within the emergency services sector. 
The continued operation of the ELES sector during a time of crisis is 
essential to the rule of law, the protection of the general welfare, the 
preservation of civil liberties and privacy rights, and consequence manage- 
More than 18,000 Federal, State, and local agencies comprise the ELES 
sertor Responses from more than 1,500 of these agencies to a sector- 
commissioned information systems vulnerability sureey reveal that these 
organizations have become increasingly reliant on information and 
communications systems to perform their critical missions. The threat 
against such systems continues to grow. Sector agencies also depend on 
other critical infrastructures, such as energy and telecommunications, 
which are also vulnerable to both cyber and physical disruption. 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPAC 



Research and Development 

Cybersecurity research and development (R&D) is another challenge 
sectors are addressing. Within sectors there are specific technical R&D 
challenges unique to each industry. These unique challenges are explained 
by each of the industries and can be found in their respective sector 
plans. Other R&D challenges are much more cross cutting and include 
issues such as vulnerability assessments guidelines and best practices for 
contingency planning. 
Education and Workforce Development 

Improving cybersecurity in the infrastructures depends on people. Senior 
management, technical personnel, and the employees in general all play 
important roles. As senior management develops an increased awareness 
of cybersecurity risks, they can set policy that promotes infrastructure 
security However, in order to implement the management policy infra- 
structures need to be able to hire well-trained technical people. Accessing 
the right technical people depends largely on educating and training. 
Finally, the security of sector depends on the average employee complying 
with the enterprise computer security policies. These three factors play a 
crucial role in improving cybersecurity in all of the infrastructures. 
Information Sharing and Analysis 

Industry and government are working together to improve information 
sharing and analysis efforts. Currently, the independent critical sectors are 
establishing mechanisms to share security information among their 
constituencies. Moreover, several continue to develop additional means 
through which they can share threat, vulnerability, countermeasure, and 
best practices information beyond their individual industries, across 

Public Policy and Legal Challenges 

During their own planning efforts, sectors have identified a variety of 
public policy and in some instance legal challenges that may impede their 
efforts in infrastructure protection and cybersecurity. The PCIS provides a 



International Issues 

Cyberspace security is an international challenge that is not bounded by 
any physical national boundary. The operations of multiple sectors cross 
international boundaries. As a result, global infrastructure sectors are initi- 
ating efforts to promote the availability, integrity, and reliability of their 
common information systems. 

Discussion of Strategy 

Fostering a Stronger Public-Private Partnership 

A successful public-private partnership requires trust. Trust cannot be 
legislated or mandated. Rather it is built over a period of time. The 
Federal government will continue to explore a variety of efforts to 
enhance and expand its partnership with the critical infrastructure sectors 
including improving coordination with the industry-led efforts for 
information sharing about cybersecurity. 
Information Sharing and Analysis Centers 

Information sharing and analysis centers (ISACs) play an increasingly crit- 
ical role in homeiand and cybersecurity An I5AC is typically an 

nating sector-specific security information. ISACs are designed by the 
various sectors to meet their respective needs and are financed by their 

Communications System is funded by the government.) iSACs work 
cioseiy with the Federal government through the Nationai infrastructure 
Protection Center (NiPC) to exchange data about threats and vulnerabili- 
ties; and through the CiAO for coordination and pianning efforts. The 
President's proposed Department of Homeiand Security would combine 
the NIPC, CIAO, and other Federal cyber centers to streamline information 
sharing and enhance infrastructure analysis. 

Establishing an ISAC requires tremendous cooperation within the sector 
and the establishment of a clear business model. While each ISAC is 
different, new and established ISACs must overcome a variety of chal- 
lenges. These challenges include improving business participation in the 
ISAC; enhancing the timeliness and effectiveness of threat information; 
and overcoming information sharing challenges. Several of the critical 
infrastructure sectors have either created or are now planning the devel- 
opment of their industry-specific ISACs. 



ISACs are developing and maturing across the various sectors including 
telecommunications, financial services, information technology, water, 
transportation, electric power, oil and gas, chemicals, food, State govern- 
ment, and more. Because they draw on the technical expertise of a given 
sector, the ISACs can facilitate the management and resolution of cyber- 
security incidents. 

In order to respond to future challenges, ISACs may need to be linked to 
government warning-and-analysis centers. As a result there are efforts 
underway to explore the benefits of linking ISACs to each other and to 
critical government centers. This could facilitate the timeiy fiow of critical 
infrastructure information and enhance crisis management efforts. 

As ISACs mature, so too will the national ability to respond and manage 
cyber incidents and attacks. In addition, the Federal government and 
ISACs could explore the challenges associated with infrastructure analysis 
and identify the methodologies and tools that might be needed to visu- 

If requested, the Federal government could, through the ISACs, provide 
technical assistance to develop contingency and crisis management plans 
for critical infrastructures. In addition. Federal, State, and local govern- 
ments could examine ways to coordinate response and recovery activities 
for significant disruptions that require actions beyond the capabilities or 
purview of individual companies. 




DRAFT 



and responsiveness to 

may require greater levels of funding in th 

as necessary to advance 




Securing Emerging Systems 

As new technologies are developed they introduce the potential for new 
security vulnerabilities. Wireless local area networks are an example of 
this. Though care was taken in developing these systems, their implemen- 
tation in an operating environment has highlighted some of their 
weaknesses. Today a person driving in a car around a city can log onto 
numerous networks without the knowledge of their owners. The intruder 
could steal information or launch attacks on those systems if he or she 
desires. With the addition of security mechanisms (such as password 
access requirements, address filtering, encryption, or using a virtual- 
private-network) these systems are much less susceptible to attack. Too 
often, however, such additions are not made due to complexity, cost, or 
time associated with setting them up. Intrusion is possible even when the 
manufacturer's security mechanisms are installed because the encryption 
can be broken. As new systems enter the market and become wide- 
spread, care must be taken to ensure that their security is adequate. 



longer term, developments in areas such as nanotechnology and quantum 
computing, amongst others, could reshape cyberspace and its security. 
The nation must be at the leading edge in understanding these technolo- 
gies and their implications for security 

The strategic goal is to address vulnerabilities that emerging technologies 
are introducing in cyberspace and determine how to eliminate, mitigate 
or manage the potential risk of these vulnerabilities. Achieving this goal is 
possible through efforts such as: 



and ease of use, evolving a new generation of secure wirE 
technologies, and addressing the security issues related to 
ad hoc networks and grid computing; and. 



Vulnerability Remediation 

New vulnerabilities emerge daily as use of software reveals flaws that 
criminals can exploit for malicious activity. Currently approximately 3,500 
vulnerabilities are reported annually Corrections are usually completed by 
the manufacturer in the form of a patch and made 
tion to fix the flaws. 
IVlany known flaws remain uncorrecte 

example, the top ten known vulnerabilities may account for the majority 
of the reported incidents of cyber attacks. This happens for multiple 
reasons. Many system administrators may lack adequate training or may 

w patch to see if it applies to their 
system. The software to be patched may affect a complex 
nected systems that take a long time to test before 
installed with confidence. If the systems are critical, it may be difficult to 
shut them down to install the patch. 

The strategic goal is to significantly improve the speed, coverage, and 
effectiveness of remediation in the near term by improving tools and prac- 
tices, and in the longer term by reducing vulnerabilities at the 
goal can be accomplished through the following strategic steps: 



consequences for security. The 




in applications, possibly 



• creating a neutral clearinghouse 
of the impact of patches on cc 
including test results; 



• developing and implementing improved coding techniques and 
quality assurance criteria to reduce the number of vulnerabilities 



)ercentage of software that 



:urity of cyber 
ie systems 

IS that help reinforce security 
addressing cybercrime, rules and bodies facilitating the sharing of 
mation, and organizations training and educating 
Adherence to fundamental principles, such as recognition of the role of 
market forces and the importance and centrality of maintaining privacy, 
help sustain the other enforcing mechanisms. The Strategy aims to foster 
a social and economic framework that accepts and reinforces security in a 
natural and sustainable way 



DRAFT 



The strategic goal for av 

cyberspace by creating an understanding at all audience levels of be 
cybersecurity issues and solutions. This can be accomplished by doing 
the following: 

building upon and expanding existing efforts to direct the aticn- 
'•on of key corporate decision makers (e.g., CEOs and members 

. of directors) to the business case for securing their 

ompanies information systems; 
• implementing plans to focus key decision makers in St 
local governments (e.g., governors. State legislatures, mayors, 
city managers, county commissioners/boards of superviso 
support investment in information systems security mi 
adopt enforceable management policie 



• elevating the exposure of cybersecurity issues and available 
ss by communicating through, and partnering with, Ic 
organizations, and primary and secondary schools. 



NATIONAL STRATEGY TO SECURE CYBERSPACE 



Training and Education 

To implement and maintain security, the nation needs a talented and 
innovative pool of citizens tliat are well trained. While the need for this 
pool has grown quickly with the expansion of the Internet and the pen/a- 
siveness of computers, networks, and other cyber devices, the investment 
in training has not kept pace. Universities are turning out fewer engi- 
neering graduates, and much of their resources are dedicated to other 
subjects, such as biology and life sciences. Though computer networks are 
widespread today, and the safety and security issues surrounding them 
are well known, few primary and secondary students are taught courses 
or modules on cybersecurity. This trend must be reversed if the United 
States is to lead the world with its cyber economy 
The strategic goals are: (1) to develop and sustain a well-trained, highly 
skilled, domestic corps of information technology (IT) security 
professionals sufficient for the nation's growing needs; and (2) to establish 
and maintain in the general population a basic proficiency in cybersecurity 
and cyber ethics. These objectives may be achieved through the following: 

• promulgating guidelines, developed by State and local govern- 
ments and private entities, covering cyber awareness, literacy 

training, and education, including ethical conduct in cyberspace, 

• expanding current programs to increase the number of four-year 
colleges and universities with high-quality IT security programs 
and increasing the opportunities for skills training in IT security 
through non-degree programs, vocational schools, junior 
colleges, and technical institutes; 



eating a national cybers 



cademy which wou 



• ensuring that opportunities exist for continuing education ar 
advanced training in the workplace to maintain high skills st 
dards and the capacity to innovate. 



Certification 

Related to education and training is the need for certification of qualified 
persons. Certification provides employers and consumers with greater 
information about the capabilities of potential employees or security 
consultants. Currently, some certifications for cybersecurity workers exist; 
however, they vary greatly in the requirements they impose. For example, 
some programs emphasize broad knowledge verified by an extensive 
multiple choice exam, while others verify in-depth practical knowledge on 
a particular cyber component. No one certification offers a level of assur- 
ance about a person's practical and academic qualifications, similar to 
those offered by the medical, legal, and accounting professions. 

The strategic goal is to develop a nationally recognized standard for certi- 
fication of information technology security professionals that could ensure 
consistent and competent assessment and maintenance of IT systems and 
networks. This may be accomplished by: 

• enhancing existing programs and developing new capabilities, 
where necessary, to create a peer certification standard for IT 
security professionals similar to accounting, medical, and law 
certification processes. Certification could include advanced 
degrees and a nationwide standards exam, administered by a 
professional organization, to certify IT consultants and to serve 
as a standard for those hired by private companies; 

• developing an accrediting body to verify that the various certifi- 
cation programs meet a minimum standard for System 
Administrator level and similar positions; and, 

• requiring such certification before the Federal government hires 
certain levels of IT professionals and, over time, for current 

Information Sharing 

The nation must be able to detect and analyze cyber incidents and 
attacks in a timely manner. The voluntary sharing of information about 
such incidents or attacks is vital to cybersecurity. Real or perceived legal 
obstacles make some companies hesitant to share information about 
cyber incidents with the government or with each other. First, some fear 
that shared data that is confidential, proprietary, or potentially embar- 
rassing may become subject to public examination when shared with the 
government. Second, concerns about competitive advantage may impede 
information sharing between companies within an industry. Finally, in 
some cases, the mechanisms are simply not yet in place to allow efficient 
sharing of information. 



The strategic goal is to increase the voluntary sharing of informatio 
about cybersecurity between public and private sector entities, as v 
among private sector entities. This goal may be accomplished by: 



• creating a legal and politic 



information might be used. 
Cybercrime 

Once incidents are detected, they must be addressed. A rapid response 



joing at 



mately caused. The nation currently has laws and mechanisms to ensure 
quick responses to large incidents. Response also includes analyzing and 
disseminating practical information to owners and users affected by the 
incident. This is followed, ideally, by investigation, arrest, and prosecution 
of the perpetrators, or, in the case of state-sponsored actions, by a diplo- 
matic or military response. Unfortunately, some incidents are not 
reported, and, even when they are, cannot be responded to effectively by 

enforcement capabilities vary significantly 

The strategic goal is to prevent, deter, and significantly reduce cyber 
attacks by ensuring the identification of actual or attempted perpetrators 
followed by an appropriate government response, which in the case of 
cybercrime includes swift apprehension, and appropriately severe punish- 
ment. This can be accomplished by the following means: 

• improving information sharing and investigative coordination 
within the Federal, State, and local law enforcement community 

matters, and with other agencies and the private sector; 

• continuing to assess the adequacy of Federal sentencing guide- 
lines penalties for cybercrime to ensure appropriate punishment 

for cyber offenses; 

• empowering Federal, State, and local law enforcement by 
exploring means to provide sufficient investigative and forensic 
resources and training to facilitate expeditious investigation and 

• developing better data about victims of cybercrime and 



YBERSPACE 



DRAFT 



Market Forces 

Much of cyberspace has a history and tradition of private and unregulated 
operation. Private investment and innovation has made the Internet and, 
more generally, cyberspace the vital and robust infrastructure that it is 
today. As cyberspace has become such an important component of the 
nation's critical infrastructure, the need to make it secure, reliable, and 
resilient has become imperative. This need requires additional investment 
and resources from the owners and suppliers of elements of cyberspace. 



at the 



• developing greater transparency of security preparedness, ar 
promoting best practices, possibly through self-regulating 
organizations such as market exchanges; and. 



Privacy and Civil Liberties 

The nation's Strategy must be consistent with the core values of its open 
and democratic society Accordingly Americans expect government and 
industry to respect their privacy and protect it from abuse. This respect for 
privacy is a source of our strength as a nation; accordingly one of the 
most important reasons for ensuring the integrity reliability availability 
and confidentiality of data in cyberspace is to protect the privacy and civil 
liberties of Americans when they use — or when their personal information 
resides on — cyber networks. To achieve this goal, the National Strategy 
incorporates privacy principles — not just in one section of the Strategy, 
but in all facets. The overriding aim is to reach toward solutions that both 
enhance security and protect privacy and civil liberties. 




The strategic goal is to achieve security in cyberspace 
without infringing on individual privacy and civil liberties. This 
goal can be accomplished through the following 



• consulting regularly with privacy advocates, industry experts, and 
the public at large to ensure broad input into, and consideration 
n implementing the National Strategy to 
that protect privacy while enhancing network 
and host security; 



Developing National Plans and Policy 

the cyber infra- 
id for situations in which the infrastructure fails, whether c 
a natural occurrence. The consequences of such a failure 
roughly understood. Because critical infrastructur 

these consequences can be complex and complicated 
iderstood, the nation must have a plan to respond to 
efficiently and effectively A discussion of four important 



ighly 



Analysis and Warning 



The nation's ability to respond to cyber outages or attacks depends, first, 
on its ability to detect incidents early Today, multiple organizations, both 
government and private, collect information about events and new 
vulnerabilities that occur on the Internet and connected networks and 
information systems. Organizations are also in place to disseminate this 
information to those who need it to help mitigate potential negative 
impacts. Some industry seaors have information sharing and analysis 
centers (ISACs) to spread early-incident information to all companies in 
that sector. ISACs and government share information on a two-way basis. 



:e providers, (ISPs), and the 
a whole, do not have a single collection an 
in point for issuing warnings of incidents 
10 clearly defined, joint incident response pr 
or team, forward looking analysis capabilities are sparse and 
suffer from lack of information. Moreover, incident information is 
often source sensitive and may have national security implications. 

The strategic goal is to detect incidents at their eariies 
respond to them efficiently; and, to the extent possibli 
advance. This goal can be accomplished by: 



• encouraging expanded sharing and analysis of data by public- 
private entities; and, 

• facilitating the improvement and expansion of incident response 
capabilities. 

Continuity of Operations, Reconstitution and Recovery 

The nation could benefit from an integrated public-private plan for 
responding to significant outages or disruptions in cyberspace. Many 
organizations have plans for how they will recover their cyber network 
and capabilities in the event of a major outage or catastrophe. However, 
there is no mechanism for coordinating such plans across the private and 

The strategic goal is to provide for a national plan for continuity of opera- 
tions, recovery, and reconstitution of services during a widespread outage 
of information technology systems in one or more sectors. Accomplishing 
this goal is possible through public-private efforts that will: 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 



• coordinate and regularly update the development of 
cybersecurity contingency plans, including a plan for recovering 
et functions 




ie right to respond in an appropriate 
when U.S. vital interests are threatened by attacks 
through cyberspace. 

group or other adversary attacks the United 
States through cyberspace, the U.S. response need not be limited to crim- 
inal orosecution or even to information warfare means. The United States 
resen/es the right to respond in an appropriate manner when its vital 
interests are threatened by attacks through cyberspace, just as it would 
with any other kind of aggression. 

Interdependency and Physical Security 

damage occurs to one infrastructure, others are often affected. 
Events in cyberspace can impact systems in physical space, and vice versa. 
A train derailed in a Baltimore tunnel and the Internet slowed in Chicago. 
A campfire in New Mexico damaged a gas pipeline and IT-related produc- 
tion halted in Silicon Valley A satellite spun out of control hundreds of miles 
above the Earth and affected bank customers could not use their ATMs. 

nanifestations: the buildings and conduits 
3ns and Internet networks. These physical 
;n designed and built to create redundancy and avoid 
ingle points of failure. Nonetheless, the carriers and service providers 
independently and collectively continue to analyze their networks 
strengthen reliability and Intentional redundancy The FCC, through its 
Reliability and Interoperability Council (NRIC), and the Board 
through the National Security Telecommunications Advisory Committee 
(NSTAC), can contribute to such efforts and should identify any govern- 
impediments to strengthening the national networks. 



• foster information sharing between ov 
infrastructure, government, and privati 
to model systems and develop solutior 



eness among cyber infrastructure owi 
operators of the potential impacts that the loss o 
infrastructure might have on others, and steps to 



DRAFT 



RECOMMENDATIONS 



A public-private partnership should refine and accelerate the 
adoption of improved security for Border Gateway Protocol, 
Internet Protocol, Domain Name System, and others. 
A public-private partnership should perfect and accelerate the 
adoption of more secure router technology and management, 
including out-of-band management. 

Internet service providers, beginning with Tier 1 companies or 
major access providers, should consider adopting a "code of good 
conduct" governing their cybersecurity practices, including their 

A public-private partnership should identify and address fundamental 
technology needs for the Internet, possibly making use of the existing 
programs and potentially establishing a fund for such activities. 
A public-private partnership should, as a high priority, develop 

systems (SCADA) in utilities, manufacturing, and other networks. 



ind industry, worl 
al DCS/SCADA-rel 



nership, st 



er adopting the Department of 
Energy's "27 Steps to Improve Cybersecurity of SCADA Networks." 
The R&D committee of the President's Critical Infrastructure 
Protection Board (PCIPB) should undertake a comprehensive 
review and gap analysis of existing mechanisms for outreach, iden- 
tification and coordination of research and development among 
academia, industry and government. The committee will complete 
its work and present its re 



to the PCIPB in 



The President's Board should coordinate with the Director of OSTP 
and the Board's RSD Committee on an annual basis to define a 

including near-term (1-3 years), mid-term (3-5 years), and later (5 
years out and longer) IT security research. 



R4-9 Federally funded near-term IT security research and development 
for FY04 and beyond should include priority programs identified 
by OSTP and the R&D Committee. Existing priorities include, 
among others, intrusion detection, Internet infrastructure security 
(including protocols such as BGP, DNS), application security, denial 
of service, communications security (including SCADA system 
encryption and authentication), high assurance systems, and 

R4-10 The private sector should consider including in near-term research 
and development priorities, programs for highly secure and trust- 
worthy operating systems. If such systems are developed and 
successfully evaluated, the Federal government should accelerate 
procurement of such systems. 

R4-1 1 Federally and privately f urided research and development should 

R4-12 Federal departments and agencies must be especially mindful of 
srou"dmnsiderrnstalliIfgTste^^^^ 

unauthorized^connectio^ns^to their networks. Agencies should care- 
technologies and take into account NIST recommendations and 
findings. In that regard, agency policy and procedures should 
reflect careful consideration of additional risk reduction measures 
including the use of strong encryption, bi-directional authentica- 
tion, shielding standards and other technical security considerations. 



individuals, enterprises, and governnnent of the security issues 
involved in the adoption of wireless technologies, especially th 
utilizing the 802.11b standard and related standards. Industry ; 
government should work closely together to promote the 
continued development of improved standards and protocols f 
wireless LANs that have built-in, transparent security. 
R4-14 A voluntary, industry-led, national effort should consider devel 
oping a clearinghouse for promoting more effective software 

exchange of data about the impact that patches may have on 
commonly used software systems, including, where practicable 
the results of testing. 



R4-16 



lat pror 



grity, se 



>mulgate 



in software code developme 

that diminish the possibilities of erroneous code, maliciou 
or trap doors that could be introduced during developme 
R4-17 The PCIPB's Awareness Committee, in cooperation with lead agen- 
cies, should foster a public-private partnership to develop and 

specific tools and resources for annual awareness training. 

R4-18 The StaySafeOnline campaign should be expanded to include 

national advertising aimed at several audience groups. It should 
also develop materials for schools, and companies. 

R4-19 States should consider creating Cyber Corps scholarship-for-servi 
programs at State universities, to fund the education of under- 
graduate and graduate students specializing in IT security and 
willing to repay their grants by working for the States. The 
existing Cyber Corps scholarship-for-service program should be 

ment and scholarship funding. The program should also add a 
faculty and program development effort for community college 
R4-20 The CIO Council and Federal agencies with cybersecurity training 
expertise should consider establishing a Cyberspace Academy 
I cybersecurity and computer forensics 



ould link Feder< 



R4-21 



raining pr 



The PCIPB's Committee ( 
benefits of establishing 
cybersecurity specialists taking ma) 
efficient, and flexible human resoi 



ining should explon 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




DRAFT 



LEVEL 5: 
GLOBAL 



through a range of in 



-age all nations to pass adequate cybersecurity laws so that 
w enforcement can investigate and prosecute cybercrime 
itted against the United States and its interests, whether it 



Issues and Challenges 

The U.S. interest in promoting cybersecurity extends well beyond its bor- 
ders. Critical domestic information infrastructures are directly linked with 
Canada, Mexico, Europe, Asia, and South America. The nation's economy 
and security depend on far-flung U.S. corporations, military forces, and 
1 trading partners that, in turn, require secure and reliable global 
information networks to function. The vast majority of cyber attacks origi- 
nates or passes through systems abroad, crosses several borders, and 

1998, the United States received a wake-up call to the national security 
mensions of the threat. Eventually dubbed "Solar Sunrise," this incident 
und U.S. military systems under electronic assault, with computer sys- 
ms in the United Arab Emirates the apparent source. Unclassified logis- 
:s, administrative, and accounting systems essential to the management 
id deployment of military forces were penetrated at a time that military 
tion was being considered against Iraq due to its failure to comply with 
M inspection teams trying to uncover evidence of weapons of mass 



It was eventually learned that two California teenagers 
under the guidance and direction of a sophisticated Israeli 
hacker, himself a teenager, had orchestrated the attacks 
using hacker tools readily available on the Internet. They 
had attempted to hide their involvement by connecting 
through overseas computers. Even cybercrimes committed 
by Americans against U.S. computers often have an inter- 
national component. 

Another event illustrated the threat to the global economy 



clogged syste 
lyzed large pj 



:y Ultimately, 



■of-service (DDoS) 
Internet. Only through close coop- 
eration between U.S. and Canadian law enforcement 
investigators was it discovered that a Canadian teenager, 
operating under the moniker of "Mafiaboy," had been breaking into 
legions of computers around the worid for many months. Retaining con- 
trol over these compromised servers, he created a "zombie army" which 
on command would flood the servers of his next corporate victim. The 
slowdowns and outages that occurred resulted in more than an estimated 
billion dollars in economic losses. 

Only a few months later, on the morning of May 4, 2000, the "I love 
you" virus began infecting computers around the globe. First detected in 
Asia, this virus quickly swept around the world in a wave of indiscriminate 
attacks on government and private sector networks. By the time the 
destructive pace of the virus had been slowed, it had infected neariy 60 
million computers and caused billions of dollars in damage. Cooperation 
among law enforcement authorities around the world led to the identifi- 
cation of the perpetrator, a computer science dropout in the Philippines. 



Together, these incidents make clear that U.S. domestic efforts alone can- 
not deter or prevent this tide of attacks. We must work closely with our 
international partners to put into place those cooperative mechanisms 
that can help prevent the damage resulting from such attacks; and if pre- 

Discussion of Strategy 

cyberspace security globally and will disseminate key policy messages 
through the full array of bilateral, multilateral and international fora, as 
appropriate. These initiatives will: build real-time, "24/7" watch-and- 
warning networks to identify incidents and stop them; establish and link a 
network of cyberspace security coordinators in each nation; use international 



DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




DRAFT 




DRAFT 



NATIONAL STRATEGY TO SECURE CYBERSPACE 




DRAFT 



